gavz / miniupnpd_poc

This project forked from b1ack0wl/miniupnpd_poc


Read out-of-bounds PoC for miniupnpd <= v2.1

License: GNU General Public License v3.0

Python 100.00%

miniupnpd_poc's Introduction

Miniupnpd <=v2.1 read out-of-bounds vulnerability (PoC)

  • This vulnerability has been fixed within miniupnpd's master branch (https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94).
  • The vulnerability is triggered by sending a SUBSCRIBE request whose callback URI path (obj->path) is longer than 526 bytes.
  • The root cause is a missing check on the return value of snprintf(): snprintf() returns the number of bytes it would have written had the buffer been large enough, not the number it actually wrote. obj->tosend therefore ends up larger than the 1024-byte buffer, and the following send() reads past the end of the heap allocation, delivering adjacent heap data to the subscriber's callback listener.
  • As of Jan-25-2019 the PoC within this repo has been successfully tested against Google Wifi.
    • Other devices that utilize miniupnpd may be vulnerable as well.

Root Cause (upnpevents.c)

static void upnp_event_prepare(struct upnp_event_notify * obj)
{

	obj->buffersize = 1024; /* Static Buffer Size */
	obj->buffer = malloc(obj->buffersize);
	[...]
	/* snprintf() returns the length the complete message would have had.
	 * With a long obj->path that exceeds the 1024-byte buffer, yet the value
	 * is stored unchecked as the number of bytes to send. */
	obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
	                       obj->path, obj->addrstr, obj->portstr, l+2,
	                       obj->sub->uuid, obj->sub->seq,
	                       l, xml);
	obj->state = ESending;
	[...]
}

static void upnp_event_send(struct upnp_event_notify * obj)
{
	int i;
	/* obj->tosend - obj->sent may be larger than the 1024-byte allocation,
	 * so send() reads past the end of obj->buffer and transmits whatever
	 * heap data follows it. */
	i = send(obj->s, obj->buffer + obj->sent, obj->tosend - obj->sent, 0);
	[...]
}

Man Page Entry for snprintf()

RETURN VALUE

Upon successful return, functions return the number of characters printed 
(excluding the null byte used to end output to strings).

The functions snprintf() and vsnprintf() do not write more than size bytes 
(including the terminating  null byte ('\0')).  If the output was truncated 
due to this limit, then the return value is the number of characters 
(excluding the terminating null byte) which would have been written to the 
final string if enough space had been available. Thus, a return value of size 
or more means that the output was truncated.
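The snprintf() misuse above, reduced to a stand-alone program that shows the vulnerable pattern beside a hardened one. This is an added example written for this page, not code from miniupnpd or from the PoC repository: the NOTIFY template, the struct, the host/UUID values and the helper names (prepare_vulnerable, prepare_fixed, vulnerable_oob_bytes, fixed_prepare_rc) are constructed stand-ins, so the path length at which truncation begins differs from the 526 bytes quoted above, and prepare_fixed() is one way to handle the truncation, not a copy of the upstream commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the notifymsg template in upnpevents.c; the real
 * template has different fixed text, so the truncation threshold differs. */
static const char *notifymsg_demo =
    "NOTIFY %s HTTP/1.1\r\n"
    "Host: %s%s\r\n"
    "Content-Type: text/xml; charset=\"utf-8\"\r\n"
    "Content-Length: %d\r\n"
    "NT: upnp:event\r\n"
    "NTS: upnp:propchange\r\n"
    "SID: %s\r\n"
    "SEQ: %u\r\n"
    "\r\n"
    "%.*s\r\n";

/* Constructed event body; only its length matters here. */
static const char *xml_demo =
    "<e:propertyset xmlns:e=\"urn:schemas-upnp-org:event-1-0\"></e:propertyset>";

#define DEMO_BUFSIZE 1024   /* same static size as upnp_event_prepare() */

struct demo_notify {
    char *buffer;
    size_t buffersize;
    int tosend;             /* what upnp_event_send() hands to send() */
};

/* Vulnerable pattern, mirroring upnp_event_prepare(): tosend is taken
 * straight from snprintf(), i.e. the length the message WOULD have had. */
static int prepare_vulnerable(struct demo_notify *obj, const char *path)
{
    int l = (int)strlen(xml_demo);
    obj->buffersize = DEMO_BUFSIZE;
    obj->buffer = malloc(obj->buffersize);
    if (obj->buffer == NULL)
        return -1;
    obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg_demo,
                           path, "192.0.2.10", ":5000", l + 2,
                           "uuid:00000000-0000-0000-0000-000000000000", 1u,
                           l, xml_demo);
    return obj->tosend;
}

/* Hardened pattern (an assumed fix, not the upstream commit): a return value
 * of buffersize or more means the output was truncated, so the notification
 * is dropped instead of being sent with a length larger than the buffer. */
static int prepare_fixed(struct demo_notify *obj, const char *path)
{
    int n = prepare_vulnerable(obj, path);
    if (n < 0 || (size_t)n >= obj->buffersize) {
        free(obj->buffer);
        obj->buffer = NULL;
        obj->tosend = 0;
        return -1;
    }
    return n;
}

/* Builds a constructed callback path "/AAAA..." of len bytes. */
static char *make_path(size_t len)
{
    char *path = malloc(len + 1);
    memset(path, 'A', len);
    path[0] = '/';
    path[len] = '\0';
    return path;
}

/* Bytes that send() would read past the 1024-byte allocation when the
 * vulnerable code handles a callback path of path_len bytes (0 = no OOB). */
int vulnerable_oob_bytes(size_t path_len)
{
    struct demo_notify obj = {0};
    char *path = make_path(path_len);
    int n = prepare_vulnerable(&obj, path);
    int oob = (n > DEMO_BUFSIZE) ? n - DEMO_BUFSIZE : 0;
    free(obj.buffer);
    free(path);
    return oob;
}

/* Return value of the hardened variant for the same path length
 * (-1 = refused because the message did not fit). */
int fixed_prepare_rc(size_t path_len)
{
    struct demo_notify obj = {0};
    char *path = make_path(path_len);
    int rc = prepare_fixed(&obj, path);
    free(obj.buffer);
    free(path);
    return rc;
}

int main(void)
{
    size_t lens[] = { 16, 800, 2000 };
    for (size_t i = 0; i < 3; i++)
        printf("path %4zu bytes: vulnerable reads %4d bytes past the buffer, fixed rc=%d\n",
               lens[i], vulnerable_oob_bytes(lens[i]), fixed_prepare_rc(lens[i]));
    return 0;
}
```

The condition to check is `n >= buffersize`, not `n > buffersize`: at exactly buffersize the last character has already been dropped for the terminating NUL, so the message is truncated even though no out-of-bounds read occurs. The PoC's --leak_amount option corresponds to making the path long enough that the difference between snprintf()'s return value and the 1024-byte buffer covers the amount of heap data to be leaked.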

Usage

usage: miniupnpd_poc.py [-h] [--callback_ip CALLBACK_IP]
                        [--callback_port CALLBACK_PORT] [--timeout TIMEOUT]
                        [--leak_amount LEAK_AMOUNT]
                        target_ip target_port

Miniupnpd <= v2.1 read out-of-bounds vulnerability

positional arguments:
  target_ip             IP address of vulnerable device.
  target_port           Target Port.

optional arguments:
  -h, --help            show this help message and exit
  --callback_ip CALLBACK_IP
                        Local IP address for httpd listener. (default: None)
  --callback_port CALLBACK_PORT
                        Local port for httpd listener. (default: None)
  --timeout TIMEOUT     Timeout for http requests (seconds). (default: 5)
  --leak_amount LEAK_AMOUNT
                        Amount of arbitrary heap data to leak (in Kb).
                        (default: 1)

Video

asciicast

  • 0wl

miniupnpd_poc's People

Contributors

b1ack0wl avatar rlkelly avatar
